Security problem on arbitrated quantum signature schemes 
Until now, many arbitrated quantum signature schemes have been developed with the help of a trusted third party. In order to guarantee unconditional security, most of them take advantage of the optimal quantum one-time encryption method based on Pauli operators. However, in this paper we point out that the previous schemes only provide security against total break, and we actually show that there exists a simple existential forgery attack that validly modifies the transmitted pair of message and signature. In addition, we also provide a simple method to recover security against the proposed attack.

PACS numbers: 03.67.Dd, 03.67.Hk 



I. INTRODUCTION 

Digital signature schemes make possible a variety of cryptographic applications such as authentication of message origin, data integrity, non-repudiation and so on. However, the advent of quantum computing algorithms has fatally weakened the security of public-key cryptosystems, especially those based on the discrete-log or factoring problems, and thus also clearly the security of the digital signature schemes built on them. Therefore, in order to guarantee the security of signature schemes even against attackers with unlimited computational power, it is meaningful to develop quantum analogues of digital signature schemes.

In 2001, Gottesman and Chuang [1] provided a quantum signing and verifying method for digital messages by using a quantum one-way function and the quantum swapping test [2]. Since then, there have been various efforts to extend the domain of signable messages to arbitrary known and unknown quantum messages. For example, Zeng and Keitel [3] proposed an arbitrated quantum signature (AQS) scheme based on the correlation of Greenberger-Horne-Zeilinger (GHZ) states [4] and a quantum symmetric encryption method [5, 6], and many variations [7-11] of this method have been developed until recently. Note that the security of these AQS schemes depends on the fact that the secret key $K_{AT}$ shared between the signer, Alice, and the arbitrator, Trent, is kept secret from attackers, including the verifier, Bob. That is, they insist that it is impossible for an attacker to forge a signature of Alice because of ignorance of the secret key.

However, we show in this paper that there exists a forgery attack that makes a new valid signature pair from the original pair of transmitted message and signature in almost all AQS schemes using quantum one-time encryption, even though the dishonest party has no information about the secret key $K_{AT}$. We would like to emphasize that when a quantum encryption scheme is introduced to construct a quantum signature scheme, something more than the secrecy of the secret key must be considered to prove the security of the quantum signature scheme. Actually, the AQS schemes are derived from classical arbitrated signature schemes. The reason why those classical schemes are secure although they are neither provably nor unconditionally secure, more concretely, the reason why they guarantee the data integrity of the transmitted message, is that they combine a hash function with the encryption in order to intertwine the message bits and so detect any kind of tampering. In addition, we also provide a simple method to enable the AQS protocols to circumvent our existential forgery attack.



II. A BRIEF REVIEW OF THE ZK PROTOCOL 

In this section we briefly review the ZK protocol proposed by Zeng and Keitel [3] instead of introducing all AQS protocols. The ZK protocol actually has the most complicated structure compared to the other variations of the protocol. Our attack method, described in Sec. III, for forging the quantum signature in the ZK protocol can be applied even more easily to the other AQS protocols [7-11].



The ZK protocol consists of three phases: the initializing phase, the signing phase, and the verifying phase.



A. Initial phase 

A1: Alice and Bob each share secret key strings $K_{AT}$ and $K_{BT}$ with Trent by using a practical quantum key distribution protocol [12-17].

A2: Trent generates the GHZ triplet states. For each GHZ state, Trent holds one particle for himself and distributes each of the remaining two particles to Alice and Bob.
B. Signing phase

B1: Alice creates a message string of $n$ qubits, $|P\rangle = \bigotimes_{i=1}^{n} |P_i\rangle$, and two copies of it.

B2: Alice obtains $|R\rangle$ by applying a random rotation $R_{K_{AT}}$ to one copy of $|P\rangle$ according to the secret key $K_{AT}$ as follows:

$$|R\rangle = R_{K_{AT}} |P\rangle.$$

B3: By performing a Bell measurement on each particle of the other copy of $|P\rangle$ together with the GHZ state, Alice also obtains a $2n$-bit string $M_A$. These measurement outcomes are given by the following relation:

$$|P_i\rangle \otimes |GHZ\rangle = \ldots \qquad (1)$$

where $|\pm\rangle$ are the X-basis states and the four Bell states are given as $|\Phi^\pm\rangle = (|00\rangle \pm |11\rangle)/\sqrt{2}$ and $|\Psi^\pm\rangle = (|01\rangle \pm |10\rangle)/\sqrt{2}$.

B4: Alice makes a signature

$$|S(P)\rangle = E_{K_{AT}}(M_A, |R\rangle)$$

by applying the quantum one-time encryption $E_{K_{AT}}$ to $M_A$ and $|R\rangle$, where $E_{K_{AT}}$ is the quantum one-time encryption based on Pauli operators keyed by $K_{AT}$.

B5: Alice sends the quantum message $|P\rangle$ and its corresponding quantum signature $|S(P)\rangle$ to Bob.

C. Verifying phase 

C1: By performing the X-basis measurement on his particles of the GHZ states, Bob obtains an $n$-bit string $M_B$ and sends Trent the quantum state $|Y_B\rangle = E_{K_{BT}}(M_B, |P\rangle, |S(P)\rangle)$ obtained by encrypting $M_B$ and the $|P\rangle$, $|S(P)\rangle$ received from Alice according to $K_{BT}$.

C2: Trent decrypts $|Y_B\rangle$ with $K_{AT}$ and $K_{BT}$ and then obtains $|P\rangle$, $M_A$, $M_B$, and $|R\rangle$. Then he tests whether the decryption result satisfies $R_{K_{AT}}|P\rangle = |R\rangle$. Of course, if the quantum message $|P\rangle$ is known, then an orthogonal measurement is used for the equality test; otherwise, the swapping test is adopted.



C3: Together with the test result, Trent sends back to Bob $|P\rangle$, $M_A$, $M_B$, and his particles of the GHZ states.

C4: If the test result is TRUE, Bob applies the appropriate Pauli operators according to the GHZ relation in Eq. (1) in order to recover the original quantum message from the particles of the GHZ state received from Trent. If there were no dishonest actions during the previous procedures, then the recovered quantum message will be the same as the original message, and Bob verifies the equality in the same way as the test by Trent.



III. SECURITY ANALYSIS FOR ARBITRATED QUANTUM SIGNATURE PROTOCOLS

In this section, we focus on analyzing the security of the ZK protocol. Note that its security flaws are due to the use of the quantum one-time encryption method based on Pauli operators. While quantum encryption is for hiding quantum information securely, quantum signature schemes must have additional functionality, such as tamper-proofing of the signed quantum data.

The present AQS protocols concentrate on proving security only against the total break attack, that is, on whether or not the secret key can be distilled by attackers from the transmitted pair of quantum message and signature. Unfortunately, we here show that there exists an existential forgery attack which enables a dishonest party to modify the quantum message and signature into a new valid pair, even though the attacker has no information about the secret key. Of course, if the quantum message is publicly known, then this attack goes beyond a merely existential forgery.



A. The details of the new attack method against AQS protocols

We here introduce an attack method to change the pair of quantum message and signature validly without knowledge of the secret key. In this section, we only deal with the case where the attacker is the verifier, Bob. However, any eavesdropper not participating in the protocol can also perform the same attack.

The core of our attack method is to show how Bob changes the signature pair $(|P\rangle, |S(P)\rangle)$ to a new one $(|P'\rangle, |S(P')\rangle)$ without knowledge of $K_{AT}$. This is accomplished by using the anti-commutativity of the non-trivial Pauli operators as follows:

$$\sigma_x \sigma_z = -\sigma_z \sigma_x, \qquad \sigma_y \sigma_x = -\sigma_x \sigma_y.$$



Since a global phase has no physical meaning in quantum mechanics, the above relation implies that any change by Pauli operators commutes with the quantum signing process consisting of the quantum one-time encryption based only on Pauli operators. Therefore, we can regard any Pauli change after the signing process as a Pauli change before the signing process; that is, the quantum signatures generated in the AQS protocols can always be forged into quantum signatures of the quantum message changed by the Pauli operators.

We have two approaches to show the security violations of the ZK protocol, according to whether Trent makes crucial use of the classical information $M_A$ in the verifying phase.

First, if $M_A$ is not involved in the test of the validity of the quantum signature, as in the original paper, then the attack is simpler. When Bob receives the pair of quantum message and signature from Alice, he selects a Pauli operator $U$ and applies it to the signature pair. This selection is made intentionally if the quantum message is publicly known, and randomly if it is unknown. This type of attack is always successful because of the following relation:

$$
\begin{aligned}
(U|P\rangle, U|S(P)\rangle) &= (|P'\rangle, U E_{K_{AT}}(M_A, R_{K_{AT}}|P\rangle)) \\
&= (|P'\rangle, E_{K_{AT}}(M_A, \alpha U R_{K_{AT}}|P\rangle)) \\
&= (|P'\rangle, E_{K_{AT}}(M_A, \beta R_{K_{AT}} U|P\rangle)) \\
&= (|P'\rangle, E_{K_{AT}}(M_A, R_{K_{AT}}|P'\rangle)) \\
&= (|P'\rangle, |S(P')\rangle), \qquad (2)
\end{aligned}
$$

where $\alpha$ and $\beta$ are $\pm 1$ and $=$ means equality up to a global phase.

Otherwise, suppose that Trent recovers $|P\rangle$ from his particle of the GHZ state by using the bit information of $M_A$ and $M_B$ and then checks whether the result is equal to the decrypted result of $R|P\rangle$. Then dishonest Bob must find an attack that modifies both $M_A$ and $R|P\rangle$ adequately in order not to be detected in Trent's verification. We would like to emphasize again that the important thing for an attacker is not what the transmitted information pairs are but how to use the relation between them. There also exists a deterministic way to modify $M_A$ to $M'_A$ correctly, according to what Bob wants to change the transmitted quantum message to.

For example, suppose that Bob tries to change the quantum message from $|P\rangle$ to $\sigma_x|P\rangle$ and thus applies $\sigma_x$ to the quantum part of $|S(P)\rangle$ as in Eq. (2). Let us look at Eq. (1) carefully. When Alice and Bob have completed the Bell measurement and the X-basis measurement, respectively, Alice's measurement outcome $M_A$ and the final state $|Q\rangle$ of Trent's particle of the GHZ state have a specific relation, regardless of Bob's measurement result $M_B$. In Eq. (1), the exchange of $M_A$ such as $|\Phi^+\rangle \leftrightarrow |\Psi^+\rangle$ and $|\Phi^-\rangle \leftrightarrow |\Psi^-\rangle$ corresponds exactly to the change of $|Q\rangle$ by $\sigma_x$, regardless of $M_B$. If Bob forges $M_A$ to $M'_A$ by the above exchange relation, then Trent will try to recover the original $|P\rangle$ by applying $\sigma_x$ to $|Q\rangle$. However, this behavior instead changes the original $|P\rangle$ to $\sigma_x|P\rangle$, and Bob's attack succeeds. Note that forgery of the classical message $M_A$ is always possible, because the ZK protocol and its variations adopt the quantum or classical bitwise one-time pad for it, and the bit flip of an encrypted message is exactly the same as the encryption of the bit-flipped message.

B. The security recovery against the new attack 

As described in the previous section, the present AQS schemes are cracked by our existential forgery attack. This is because all quantum operations used for the random rotation and the one-time encryption are only Pauli operators, which commute or anti-commute with each other. For a quantum message $|P\rangle$, the corresponding quantum signature has the form $ER|P\rangle$, where $R$ and $E$ represent the random rotation and the one-time encryption, respectively. If Bob performs a forgery attack with a quantum operation $Q$, then the quantum signature turns into $QER|P\rangle$ and finally becomes $R^\dagger E^\dagger Q E R|P\rangle$ after Trent's decryption. Therefore, it is necessary for an attacker without knowledge of $R$ and $E$ to set $Q$ as a quantum operation which commutes (up to a global phase) with both $E$ and $R$. This is the main idea of our proposed attack method. Fortunately, this also means that if it is possible to prevent an attacker from finding such a quantum operation, then we can make the AQS protocols secure.

We here need to recall the following necessary and sufficient condition for the optimal quantum one-time encryption from [5]:

A set $\{p_k, U_k\}_{k \in K}$, where $K$ consists of $2n$-bit secret strings, is a quantum encryption set if and only if the unitary operator elements form an orthonormal basis and they are all equally likely.

Consider a set of unitary operators given in the form $U\{I, \sigma_x, \sigma_y, \sigma_z\}V$ for arbitrary unitary operators $U$ and $V$. This is absolutely an optimal quantum one-time encryption, because for any Pauli operators $P$ and $P'$, $UPV$ and $UP'V$ have the following Hilbert-Schmidt inner product [18]:

$$\mathrm{tr}\big((UPV)^\dagger UP'V\big) = \mathrm{tr}(P^\dagger P') = 2\delta_{P,P'}. \qquad (3)$$

We call it the $(U, V)$-type quantum encryption. In order to include the non-commutative property in the quantum signing process, we simply take advantage of the random rotation based on Pauli operators and the $(I, H)$-type quantum encryption, where $H$ is the Hadamard operator defined by

$$H = \frac{1}{\sqrt{2}} \begin{pmatrix} 1 & 1 \\ 1 & -1 \end{pmatrix}.$$

Then the finally decrypted quantum signature will be of the form $UHVQVHU|P\rangle$, where $U$ and $V$ are the unknown Pauli operators for the random rotation and the one-time encryption, respectively. If Bob takes $Q$ to be a Pauli operator, he is able to remove $V$ without knowledge of $V$, as shown in our attack method. However, the Hadamard operator $H$ prevents the spread of our attack method, because there is no non-trivial quantum operator that commutes with both $H$ and a non-trivial Pauli operator. Of course, if we take the $(U, V)$-type quantum encryption randomly and securely instead of using a publicly known and fixed type of quantum one-time encryption, it is trivial that the security of the AQS protocols is increased, even though secret key bits are additionally consumed.
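The following single-qubit simulation is an added example and not code from the paper. It models the signing step $S(P) = ER|P\rangle$ of Sec. III.B with explicit $2 \times 2$ matrices, applies a Pauli forgery $Q$ to both message and signature as in Eq. (2), and performs the check of step C2 as assumed here: Trent decrypts to $R^\dagger E^\dagger Q E R|P\rangle$ and compares it, up to a global phase, with the received message $Q|P\rangle$. It runs the same check for the Pauli-only one-time pad and for the $(I, H)$-type pad ($E = VH$), and also verifies the Hilbert-Schmidt condition of Eq. (3) for a $(U, V)$-type set. The message qubit, the uniform key choices and the function names are constructed for the example. With the Pauli-only pad every $Q$ is accepted, which is the attack. With the $(I, H)$-type pad, $\sigma_x$ and $\sigma_z$ forgeries are rejected for a generic message qubit, whereas $Q = \sigma_y$, which anti-commutes with $H$ ($H\sigma_y H = -\sigma_y$), is still accepted up to a global phase; the Hadamard layer therefore raises the per-qubit detection probability, as the conclusion states, rather than rejecting every Pauli forgery.

```python
# Added example (not code from the paper): a single-qubit simulation of the
# signing step S(P) = E R |P>, Bob's Pauli forgery Q, and Trent's check, to see
# which Q survive with a Pauli-only one-time pad versus the (I,H)-type pad.
import random

# 2x2 complex matrices as nested lists (no numpy needed)
I2 = [[1, 0], [0, 1]]
SX = [[0, 1], [1, 0]]
SY = [[0, -1j], [1j, 0]]
SZ = [[1, 0], [0, -1]]
S2 = 1 / 2 ** 0.5
H = [[S2, S2], [S2, -S2]]                 # Hadamard operator of Sec. III.B
PAULIS = {"I": I2, "X": SX, "Y": SY, "Z": SZ}


def matmul(a, b):
    return [[sum(a[i][k] * b[k][j] for k in range(2)) for j in range(2)] for i in range(2)]


def dagger(a):
    return [[a[j][i].conjugate() for j in range(2)] for i in range(2)]


def trace(a):
    return a[0][0] + a[1][1]


def apply(a, v):
    return [a[0][0] * v[0] + a[0][1] * v[1], a[1][0] * v[0] + a[1][1] * v[1]]


def equal_up_to_phase(u, v, tol=1e-9):
    # Unit vectors are equal up to a global phase iff |<u|v>| = 1.
    return abs(abs(sum(x.conjugate() * y for x, y in zip(u, v))) - 1) < tol


def random_state(rng):
    # Constructed sample message qubit: normalised complex Gaussian amplitudes.
    amps = [complex(rng.gauss(0, 1), rng.gauss(0, 1)) for _ in range(2)]
    norm = sum(abs(x) ** 2 for x in amps) ** 0.5
    return [x / norm for x in amps]


def forgery_passes(Q, R, E, P):
    """True if Trent accepts the forged pair (Q|P>, Q E R|P>).

    Assumed check (the R_KAT|P> = |R> test of step C2, applied to the received
    message): decrypt with E^dag, undo R, and compare with the received Q|P>.
    """
    forged_sig = apply(Q, apply(matmul(E, R), P))                # Q E R |P>
    decrypted = apply(matmul(dagger(R), dagger(E)), forged_sig)  # R^dag E^dag Q E R |P>
    return equal_up_to_phase(decrypted, apply(Q, P))


def surviving_forgeries(use_hadamard, trials=200, seed=1):
    """Pauli labels whose forgery is accepted in every trial over random keys/messages."""
    rng = random.Random(seed)
    survivors = set(PAULIS)
    for _ in range(trials):
        P = random_state(rng)
        R = rng.choice(list(PAULIS.values()))        # random rotation keyed by K_AT
        V = rng.choice(list(PAULIS.values()))        # one-time pad Pauli keyed by K_AT
        E = matmul(V, H) if use_hadamard else V      # (I,H)-type encryption: E = V H
        for name in list(survivors):
            if not forgery_passes(PAULIS[name], R, E, P):
                survivors.discard(name)
    return survivors


def is_quantum_encryption_set(U, V):
    """Eq. (3): the operators U P V are pairwise Hilbert-Schmidt orthogonal with
    squared norm 2, so with uniform probabilities they meet the condition of [5]."""
    ops = [matmul(matmul(U, P), V) for P in PAULIS.values()]
    for i, a in enumerate(ops):
        for j, b in enumerate(ops):
            expected = 2 if i == j else 0
            if abs(trace(matmul(dagger(a), b)) - expected) > 1e-9:
                return False
    return True


if __name__ == "__main__":
    print("Pauli-only pad, accepted forgeries:", sorted(surviving_forgeries(False)))
    print("(I,H)-type pad, accepted forgeries:", sorted(surviving_forgeries(True)))
    print("(I,H) is an optimal one-time encryption set:", is_quantum_encryption_set(I2, H))
```

The `I` entry in the survivor sets is the trivial case of no forgery. Because the check is per qubit, an $n$-qubit signature under the $(I, H)$-type pad is protected only to the extent that the forger's Pauli string contains $\sigma_x$ or $\sigma_z$ factors; choosing the $(U, V)$-type pad secretly and at random, as the section suggests, removes the attacker's ability to predict which $Q$ commute through it.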



C. Other security issues

In this section, we introduce other security problems which should additionally be considered in most present quantum signature schemes.

• They deal with quantum signature schemes bit-wise or qubit-wise.

This means that it is always possible for an attacker to permute the order of the message and signature pairs as he wants. For example, although the attacker does not know the contents of the message, many messages such as official and financial documents usually have a specific form, and thus the attacker can modify the original message by permuting the important data, including the date, time, amount of money and so on.

• Any symmetric states can pass the quantum state equality test.

Regardless of whether the quantum signature schemes depend on quantum one-way functions or on quantum encryption by the shared secret key string, in order to confirm the validity of a quantum signature it is necessary to test the equality of the final quantum states generated by the different routes and algorithms of the signer, the verifier, or the arbitrator. To date, the quantum swapping test proposed in [2] is the only way used for achieving this purpose. However, as noted in [1], any symmetric states can pass the equality test, and thus this fact can be used maliciously for Alice's disavowal.
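The following is an added example, not code from the paper, that makes the second point above concrete for a verifier. The swapping test accepts (control qubit measured as 0) with probability $(1 + \langle\Psi|\mathrm{SWAP}|\Psi\rangle)/2$ for the joint state $|\Psi\rangle$ of the two registers being compared. For two independently prepared pure states this reduces to $(1 + |\langle u|v\rangle|^2)/2$, but a joint state that is symmetric under exchange, such as $(|01\rangle + |10\rangle)/\sqrt{2}$, is accepted with certainty even though the two registers do not hold two copies of any one state. The states and function names are constructed for the example.

```python
# Added example (not code from the paper): acceptance probability of the quantum
# swapping test [2] on a joint two-register state, (1 + <psi|SWAP|psi>)/2.
# Pure Python on amplitude lists; basis |i>|j> sits at index i*dim + j.


def kron(u, v):
    return [a * b for a in u for b in v]


def inner(u, v):
    return sum(a.conjugate() * b for a, b in zip(u, v))


def swap_registers(psi, dim):
    """Apply SWAP to a state of two dim-dimensional registers."""
    out = [0] * (dim * dim)
    for i in range(dim):
        for j in range(dim):
            out[j * dim + i] = psi[i * dim + j]
    return out


def swap_test_accept_prob(psi, dim):
    """Probability that the swap-test control qubit reads 0 for joint state psi."""
    return (1 + inner(psi, swap_registers(psi, dim)).real) / 2


def product_accept_prob(u, v):
    """Swap test on two independently prepared pure states |u>, |v>,
    which equals (1 + |<u|v>|^2)/2."""
    return swap_test_accept_prob(kron(u, v), len(u))


S2 = 1 / 2 ** 0.5
KET0, KET1, PLUS = [1, 0], [0, 1], [S2, S2]
PSI_PLUS = [0, S2, S2, 0]    # (|01> + |10>)/sqrt2: symmetric under SWAP
PSI_MINUS = [0, S2, -S2, 0]  # (|01> - |10>)/sqrt2: antisymmetric under SWAP

if __name__ == "__main__":
    print("|0>,|0>:", product_accept_prob(KET0, KET0))         # equal states
    print("|0>,|1>:", product_accept_prob(KET0, KET1))         # orthogonal states
    print("|0>,|+>:", product_accept_prob(KET0, PLUS))         # partial overlap
    print("Psi+   :", swap_test_accept_prob(PSI_PLUS, 2))      # accepted, yet not two copies
    print("Psi-   :", swap_test_accept_prob(PSI_MINUS, 2))     # always rejected
```

For a verifier, the consequence is that a single accepting swap test establishes only that the joint state has no antisymmetric component, not that the two registers carry identical copies; a signer who controls the preparation of both registers can exploit exactly this gap, which is the disavowal scenario the section refers to.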



IV. CONCLUSION 

In this paper, we have pointed out that most of the present AQS protocols can be cracked by a specific existential forgery attack. This is due to the careless use of quantum one-time encryption based on Pauli operators. Generally, an encryption method is very useful for hiding data and validating the origin of the data. However, in order for it to satisfy the tamper-proof property in a signature scheme, a more complicated structure beyond bitwise one-time encryption is required, just as in classical cryptography hash functions are combined with the encryption to interlace the transmitted message bits and detect any modification of them.

In addition, to overcome the weakness of the AQS schemes against our existential forgery attack, we also proposed a method to detect the forgery attack with non-negligible probability for each bit or quantum bit, by adding the non-commutative property to the signing process using the extended class of quantum encryption.